Security fix in Ruby on Rails 2.3.5

Ruby on Rails 2.3.5 was released over the weekend. It provides several bug fixes and one security fix, should be fully compatible with all prior 2.3.x releases, and can be upgraded to easily with “gem update rails”.

The most interesting bits are outlined below:

XSS Weakness in strip_tags
Rails 2.3.5 fixes a weakness in the strip_tags helper in Ruby on Rails. Because of a bug in the parsing code inside HTML::Tokenizer regarding non-printable ASCII characters, an attacker could include values that strip_tags passed through and that certain browsers would then evaluate.
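Two defensive helpers for this issue, added here as an example and not part of the Rails release or its code: one decides from a version string whether a 2.3.x install predates the fix, the other removes non-printable ASCII bytes from untrusted input before it reaches strip_tags and reports how many were removed so the application can log the event. The function names and the sample input are my own; the scrubber is defence in depth, not a replacement for upgrading.

```ruby
# Added example (not from the Rails 2.3.5 announcement). Assumes only the
# Ruby standard library; Gem::Version ships with RubyGems.

# Fixed release named in the announcement.
FIXED_RAILS = Gem::Version.new("2.3.5")

# True when +installed+ is a 2.3 series release older than 2.3.5. Only the
# 2.3 series covered by the announcement is considered; other series return false.
def rails_2_3_needs_upgrade?(installed)
  v = Gem::Version.new(installed)
  v.segments[0, 2] == [2, 3] && v < FIXED_RAILS
end

# Non-printable ASCII: the C0 control bytes except tab, LF and CR (legitimate
# whitespace in HTML) plus DEL (0x7f). These are the characters HTML::Tokenizer
# mishandled, so they are removed before any sanitizer sees the input.
NONPRINTABLE_ASCII = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Returns [cleaned_string, removed_count]. A non-zero count on user-supplied
# HTML is worth logging: ordinary form input has no reason to contain them.
def scrub_nonprintable_ascii(input)
  removed = 0
  cleaned = input.gsub(NONPRINTABLE_ASCII) { removed += 1; "" }
  [cleaned, removed]
end

# Constructed sample input: harmless markup with a NUL and a DEL byte embedded.
SAMPLE = "Hello\x00 <b>world</b>\x7f\tdone\n"

if __FILE__ == $PROGRAM_NAME
  cleaned, count = scrub_nonprintable_ascii(SAMPLE)
  warn "removed #{count} non-printable byte(s) from untrusted input" if count > 0
  print cleaned                                    # => "Hello <b>world</b>\tdone"
  puts rails_2_3_needs_upgrade?("2.3.4")           # => true
  puts rails_2_3_needs_upgrade?("2.3.5")           # => false
end
```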

Improved compatibility with Ruby 1.9
There were a few small bugs preventing full compatibility with Ruby 1.9. However, we wouldn’t be surprised if you were already running Rails 2.3.x successfully before these bugs were fixed (they were small).

RailsXss plugin availability
As you may have heard, in Rails 3 we are now automatically escaping all string content in ERB (whereas before you needed to use “h()” to escape). If you want this functionality today, you can install Koz’s RailsXss plugin in Rails 2.3.5.

Fixes for the Nokogiri backend for XmlMini
With Rails 2.3 we were given the ability to switch out the default XML parser from REXML to other, faster parsers like Nokogiri. There were a few issues with using Nokogiri which are now resolved, so if your application parses lots of XML you may want to switch to this faster parser.
